NHS organisations have been told to strengthen defences against cyberattacks, following Russia’s invasion of Ukraine.

An email seen by HSJ [paywall] from NHS England (NHSE) chief operating officer, Sir David Sloman, advised trusts to ensure their IT systems were “patched and protected, and that immutable backups are in place”. It added that further guidance would be issued to technical teams later this week.

WHY IT MATTERS

Healthcare systems are susceptible to cyberattacks which cause havoc and put patient safety at risk. The NHS was hit hard by the WannaCry ransomware attack in 2017, which disrupted around 81 NHS trusts and 600 primary care organisations, costing an estimated $115 million (£86M) and causing more than 19,000 appointments to be cancelled.

Although there have been no specific threats to the UK from the Kremlin, the National Cyber Security Centre (NCSC) has noted a “historical pattern of cyberattacks on Ukraine with international consequences.” It called on UK organisations to strengthen their online defences by following its cyber threat guidance.

Earlier this month, chief of the defence staff Admiral Sir Tony Radakin advised the Cabinet that the UK should be ready for cyberattacks from Russia over its support for Ukraine.

THE LARGER CONTEXT

Last week health secretary Sajid Javid said the UK was shoring up cyber resilience in health and care, backed by more than £300 million of investment since 2017.

“The shocking events of the past few weeks have reminded us of cyberattacks and how established a form of conflict they’ve now become, and we can only make these digital reforms if we keep the system safe from those who want to cause us harm,” he told the HSJ Digital Transformation Summit.

In 2021 Ireland’s health service was hit by a cyberattack that led to systems being shut down as a precaution.

Meanwhile, the American Hospital Association has also raised concerns about potential consequences of Russia's invasion of Ukraine for the US healthcare industry.

ON THE RECORD

Dr Saif F Abed, partner and Cybersecurity Advisory Services, The AbedGraham Group said: “The NHS is first and foremost national critical infrastructure and so must be considered a viable target during these heightened geopolitical tensions. The best response is to focus clearly on one objective only – preserving patient safety. That can be achieved through a two-fold strategy.

“The obvious route that has already been reported is purely about technology – patching and having backups of key clinical systems and data. However, this is not enough and even the best technology alone cannot prevent persistent attackers from succeeding therefore it is essential that trusts put in place Clinical Incident Response Plans (CIRPs). This means identifying key workflows, systems and applications and training staff to be able to operate without their availability using alternative means even paper. This is how you take the sting out of the tail of a disruptive cyberattack and maintain acceptable levels of patient safety.”